Posted by samzenpus on Wednesday June 09, 2010 @08:56PM from the sieve-security dept.

Hugh Pickens writes "Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T's web apps. Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed. 'This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple,' writes Ryan Tate, adding that the leak is likely to unnerve customers thinking of buying iPads that connect to AT&T's cellular network. 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.' In a statement, AT&T says that the issue was escalated to the highest levels of the company and that it has essentially turned off the feature that provided the email addresses. 'We are continuing to investigate and will inform all customers whose email addresses and ICC IDs may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"
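What the summary describes, as an added example that is not part of the original story and not AT&T's code: a lookup that takes an ICC-ID from the request and hands back the subscriber's email with no authentication at all, beside a hardened version that only answers for the ICC-ID bound to the caller's own authenticated session. The subscriber table, the session store, the cookie value and the response shapes are all constructed for illustration (Python):

```python
"""Model of an ICC-ID -> e-mail lookup endpoint, vulnerable and hardened.

Constructed example: the subscriber records, session store and request
shapes are invented for illustration; nothing here is AT&T's code.
"""

# Constructed subscriber records keyed by ICC-ID (the 20-digit SIM serial).
SUBSCRIBERS = {
    "89014104212345678909": {"email": "alice@example.com", "account": 1001},
    "89014104212345678917": {"email": "bob@example.org", "account": 1002},
}

# Constructed session store: opaque session cookie -> account that logged in.
SESSIONS = {"sess-7f3a": 1001}


def lookup_vulnerable(params: dict) -> dict:
    """The leaky pattern: the only input is the ICC-ID from the query string.

    Anyone who can produce a valid ICC-ID gets that subscriber's address
    back. There is no authentication and no check that the caller owns the
    SIM, so the identifier alone acts as the credential.
    """
    sub = SUBSCRIBERS.get(params.get("ICCID", ""))
    if sub is None:
        return {"status": 404}
    return {"status": 200, "email": sub["email"]}


def lookup_hardened(params: dict, headers: dict) -> dict:
    """Object-level authorization: require a session and bind the ICC-ID to it.

    The ICC-ID is still accepted (the AJAX caller sends it), but it is only
    honoured when it belongs to the account that owns the session. Unknown
    and not-yours both return 404 so the endpoint cannot be used as an
    oracle for which ICC-IDs exist.
    """
    account = SESSIONS.get(headers.get("Cookie", ""))
    if account is None:
        return {"status": 401}
    sub = SUBSCRIBERS.get(params.get("ICCID", ""))
    if sub is None or sub["account"] != account:
        return {"status": 404}
    return {"status": 200, "email": sub["email"]}


if __name__ == "__main__":
    other = {"ICCID": "89014104212345678917"}          # someone else's SIM
    print(lookup_vulnerable(other))                     # leaks bob's address
    print(lookup_hardened(other, {"Cookie": "sess-7f3a"}))  # 404: not alice's
```

The fix is the authorization check, not the transport or the URL: serving the script over HTTPS or leaving it unlinked would not have helped, because the ICC-ID is printed on the SIM and is not secret, so anyone can supply a valid one belonging to somebody else. Answering 404 for both "unknown" and "not yours" keeps the hardened endpoint from confirming which ICC-IDs are in service.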

Since when [slashdot.org] does the interface being public [slashdot.org] have anything to do with whether accessing it is legal? The law makes statements about authorized and unauthorized access, not technically possible and technically impossible access. In all hacking crimes the system is happily serving up content exactly as built by the designers, but it's still a crime. In many cases, the system is even working as intended (no buffer overflows and the like) but if unauthorized access is obtained, it's still a crime.

Does anyone else remember this case [zdnet.co.uk] that was on slashdot some years ago? A computer security consultant was convicted in the UK for typing "/../../" after a URL and hitting enter. Obviously this destroyed his career.

This is the text of the law that convicted him.

a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case

By not putting an access control mechanism on a data interface you are essentially granting everyone access. Whether the courts rule this way has nothing to do with the technical and practical realities of the situation.

Randomly searching directories for non-listed files? Is that a problem? What about typing "/private" to the end of a URL and finding something?

For instance with this story, it's not clear how the hacking group found the script in question. If it's not publicly listed is it a problem? The second it started returning what is obviously non-public information, is that a problem?

I completely agree that stumbling across something private on a public website is easy to do. But if the "stumbler" has to do a lot of work to stumble on the information...? (and I absolutely DON'T excuse AT&T for this leak either)

Nothing of that should be illegal. Come on, you can set up basic authentication in Apache in five lines in .htaccess [cyberciti.biz].

Any URL that doesn't require authentication should be fair game, imho. Anything less than that and we start going into a grey area and the 'net turns into an unsafe place where you can be illegal just by clicking a link.

I thought we had already gotten to that point since the government can kick down your door and arrest you [thetechherald.com] for clicking on a hyperlink (which BTW IIRC they didn't even bother to collect a referrer). So remember kids, that link might be the information you want, might be a rickroll, or it might be a free ride to PMITA prison, you never know!

As for TFA, is anyone actually surprised AT&T left a door the size of a Mack truck wide open? Old Steve needs to be seriously looking at this, as what good is all that

The difference is sending a GET request to some URL is something we are supposed to do even without asking. This is a link [ethnologue.com]. How are you supposed to know if you can legally click it? Do you check with the domain owner of every link to see if you have permission before you click it?

The difference between a GET request and a malformed packet/running code on other's servers is that the GET is a legal, safe action that everyone on the web does hundreds of times per day.

Given they wrote a script to automatically generate SIM IDs which could then be passed to retrieve another email address, I suspect they were well aware that this was data they should not be accessing.

There was no need to retrieve over 100,000 addresses before notifying AT&T nor was there any need to share the security hole with others as was also done.

The leak shouldn't have been there, but the responsible thing to do upon discovery is report it, not exploit it.
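As an added illustration of the two halves of this comment, taken neither from the group's script nor from AT&T's systems: the first function shows why "automatically generating SIM IDs" is cheap, since an ICC-ID is up to 20 digits whose last digit is a Luhn check over the rest, so stepping the serial portion of one known ID yields a run of valid neighbours; the second is the kind of check an operator could run over the web tier's access logs to notice a single client walking such a range. The log format, the threshold of five distinct ICC-IDs per client and the ICC-ID values themselves are all assumptions (Python):

```python
"""Sequential ICC-ID enumeration, and a detector for it in access logs.

Constructed example: the ICC-ID values, the log line format and the
threshold are assumptions chosen for illustration, not AT&T's logs and
not the harvesting script the story refers to.
"""
import re
from collections import defaultdict
from typing import Iterable


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit for a string of digits (ICC-ID style)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled, then alternate
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def neighbouring_iccids(known: str, span: int) -> list[str]:
    """Enumerate valid ICC-IDs around a known one by stepping its serial part.

    `known` is a full 20-digit ICC-ID; the final digit is recomputed for
    each candidate, so every result passes the check digit a provisioning
    system expects. This is the whole "SIM ID generator" a harvester needs.
    """
    body = int(known[:-1])
    out = []
    for n in range(body - span, body + span + 1):
        b = f"{n:019d}"
        out.append(b + luhn_check_digit(b))
    return out


# Assumed log format: "<client-ip> <status> GET /path?ICCID=<20 digits>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<status>\d{3}) GET \S*[?&]ICCID=(?P<iccid>\d{20})")


def enumeration_sources(lines: Iterable[str], threshold: int = 5) -> dict[str, int]:
    """Return clients that queried more than `threshold` distinct ICC-IDs.

    A legitimate caller of the AJAX lookup asks about its own SIM, one
    ICC-ID per session; a harvester asks about many from one address.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["iccid"])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    # Constructed log: one ordinary visitor and one client walking the range.
    harvester = "203.0.113.9"
    walk = neighbouring_iccids("89014104212345678909", 4)
    sample_log = ["198.51.100.4 200 GET /lookup?ICCID=89014104212345678909"]
    sample_log += [f"{harvester} 200 GET /lookup?ICCID={i}" for i in walk]
    print(enumeration_sources(sample_log))   # {'203.0.113.9': 9}
```

Counting distinct ICC-IDs per source address is deliberately crude; a harvester that spreads requests over proxies, as the later comment about "proxying a bunch of requests" suggests, defeats a per-IP count, and the durable fix remains requiring authorization on the endpoint rather than spotting the walk after the fact.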

So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

Not a perfect analogy at all as on the web such access can be committed easily and accidentally, but I think the point remains.

I usually just pass these type of posts by, but I must say that walking into someone's house or climbing in a window is totally, not even close to accessing a PUBLIC interface on a web site. A house or a window is quite obvious that you don't belong, but come on, how are you supposed to know that a PUBLIC interface was NOT meant to be PUBLIC.

Often he would return the merchandise to the store and explain how he wasn't really happy with the goods he acquired. He would then get store credit and usually sell the card off. This is of course all hearsay because I never witnessed the behavior.

Then one day I bumped into my "friend" at a Wal-Mart and I thought it would be a good idea to give him a good friendly greeting.

Analogies are why we can't have nice things. This gives a data provider the ability to make an innocently and legally undertaken action illegal after the action has been completed. I would suggest that we not extend powers we deny the government to AT&T.

It doesn't make it OK, but it certainly raises the chance of it happening, and one shouldn't be terribly surprised when it does.

That said, the appropriate response would be more along the lines of notifying the company that there's an issue, not publishing the contact info of an eighth of a million of their customers. After all, it's not the customer's fault that AT&T can't get their shit together. Though by all means, expose anyone with an AT&T email address if there's no response to your heads-up

When breaking and entering a house, there should be a difference whether the people cleaned out your house and it is empty of everything or if they just came in and swam in your swimming pool like in the movie "The Girl Next Door". Sure, both are illegal, but on different levels.

One is clearly for pure profit, the other was not. Should both be put in jail for the same amount of time?

And if you leave your car open and the motor running and the keys in, where I live you could be charged as well. And the thief

Not only a poor analogy, but not applicable. A private home or car is considered to be a private, exclusive area unless you explicitly know otherwise. A website is the exact opposite: it's like a storefront, or a restaurant, which a reasonable person would presume to be open to the public unless explicitly marked or set up otherwise.

And if you leave the door to your store unlocked after closing time, and I wander in, yes, that's totally acceptable, and I'm not trespassing unless I stay after you explicitly tell me to leave. Until you do, I'm making a reasonable assumption that a normally public place (a website on the public Internet, or a store) is open to the public (no access control mechanism is in place, or the front door of the store is not locked). If you accidentally leave confidential business records laying on the front counter of the store, and I see them there, I'm also doing nothing wrong: you left them in a public area, I just saw what was there.

At some point, yes, you are responsible to take reasonable security precautions. If you leave things in an area that the public is allowed to access, you can hardly yowl and scream when it becomes publicly known. Now, if you keep it in an area that is not normally accessible to the public and clearly is secured, and someone deliberately cracks in, you are much more likely to have a legitimate grievance. But only then, and this is not such a case. It was laying right out in the open for anyone at all to look at, and someone did.

To reasonably extend your analogy, they didn't come in through the front door - they came through the tradesman entrance. Services (trades) were expected to come through this interface, not the general public. It is like testing the front door, finding yes you can come in but no you can't have that information, and then finding that they left the services door unlocked and deciding to waltz through there and get the information they were previously denied. Both are "public" entrances in the sense that they aren'

No, in the physical world you can be asked to leave, trespass doesn't apply until you have been informed that you are not welcome. I would consider HTACCESS to be the equivalent of an employees only sign which is the lowest form of sufficient proof for trespass.

So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

A house door or window is a perfect example of something that is "private" in the legal sense of the term.

HTTP, on the other hand, was developed primarily to allow people to publish documents for public consumption. If you place a web server on a network wide open to the public and do not protect access to your documents or indicate that you intended to do so with the equivalent of a "no trespassing" sign, you are giving the public an implicit license to view what you publish. HTTP is a publishing system after all. The similarity between "publish", "public", and "publication" is not coincidental. An implied license means authorization.

The law concerning electronic communications "interception" is relevant here:

"It shall not be unlawful under this chapter or chapter 121 of this title for any person -- (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;" (18 USC 2510 (g))

If you operate a web server that is "configured so that such communication is readily accessible to the general public" you have granted an implied license as strong as the one you have to listen to a run of the mill FM radio channel.

By not putting an access control mechanism on a data interface you are essentially granting everyone access. Whether the courts rule this way has nothing to do with the technical and practical realities of the situation.

But the people who make the laws seldom understand the technical and practical realities of the situation. The people who exploit them do. Therefore most written law and court rulings are made with more concern about the motivation than how easy (in computer terms) something can be done. Because the people most likely to do it are the ones looking to exploit it.

Unlike walking around naked with your curtains open, it's very unlikely a grandmother will happen to glance through 114,000 e-mail addresses.

.. or well, scrap the later part, I'm trying to find what the law actually says over at datainspektionen but it's hard to find anything relevant to the security of storing or sharing the personal data. I don't wanna claim too much in case it's not true:/

Safety measures (§ 31): The liable data manager must take appropriate technical and organizational measures to protect the personal data processed. These measures must achieve a level of security that is appropriate with regard to

a) the technical options available,
b) what it would cost to implement the actions,
c) the specific risks involved in the processing of personal data, and
d) how sensitive the treated personal information is.

When the liable data manager uses a personal data assistant, the liable data manager must ensure that the personal data assistant can implement the security measures required and ensure that the personal data assistant actually takes those measures.

Since the meaning of "hacker" has changed from "someone who modifies devices to do things they weren't designed to do, or writes quick and dirty computer code" to "electronic burglar", who do we now call someone who modifies devices to do things they weren't designed to do, or writes quick and dirty computer code?

We still call ourselves hackers, and revel in the thrill that outsiders think we are elite master cyber-criminals who get blowjobs while typing quickly on our keyboards, like in that film with Halle Berry.

What's even better is that the first 3 words of the headline are "AT&T's Gaping Hole".

Well, I was rather amused by the fact that "Goatse" "Leaked" something from said "Gaping Hole," I suppose that if you spend all your time playing with your "gaping hole," then something is eventually going to leak.

Apple doesn't have to open their wallet, they simply have to end their exclusive agreement with AT&T when it expires next year, that will cost AT&T a couple billion a year which is more than any lawsuit could possibly extract from them.

GNAA is a group of people who are occupied primarily in flooding the irc channels of their enemies. This attack obviously required very little in the way of technical skill, just proxying a bunch of requests to a server, and storing the results. The sad truth of the matter is that even idiots get lucky eventually.

I can't imagine why a telco would need a user's mail address, or how on earth it trusts the user-entered mail address.

I also wonder if the infrastructure was using http or httpS for that communication, you know while collecting user mail addresses for some (??) reason.

You know what? It should be Apple to protest this massive leak at first place. Didn't they declare monopoly on location based advertising "to protect user privacy"? Eh, mail address in some organization named itself "goatse", anything worse c

I'm not a consumer, and least of all a gadget one. I'm a business guy and I like business toys. And when I buy a business toy, I consider the brand and the source, and almost always pay more to get the better source -- especially when the product/service is otherwise identical.

But when have you seen a consumer choose to buy an iPad from a source that's $10 more expensive than another they've found? Anyone here have friends who choose to pay more? Anyone have friends who chose an iPad from not AT&T because they actually thought about the AT&T factor? I'd bet otherwise.

Gawker doesn't suggest that "every iPad owner in the US" may have been exposed. It says every iPad 3G owner may have been exposed. I don't think that's splitting hairs, either, given the short time the 3G model has been available. Things are bad enough without making them seem worse.

The last thing that comes to my mind when I think goatse is security. That guy can't secure shit. And trust me, I've thought about a lot of things while viewing / thinking of goatse.. And security was definitely the last because I read an article about it on some site.

I'm surprised nobody else has commented how offensive it is that the group that found the leak published the email addresses. By all means publish the fact of the breach, get pie on AT&T's face, but why punish the users? That's just mean.

This is certainly a high-profile breach, but not apparently immediately catastrophic. However, it does provide a number of lessons for organizations and developers building smartphone applications (iPhone, iPad, Android, Blackberry, Windows Mobile, etc.). All of the issues with the AT&T/Apple infrastructure for the iPad are known web application security issues. Smartphone developers need to learn from the past or they are going to repeat the mistakes of web application and AJAX/RIA application developers.

This is certainly a high-profile breach, but not apparently immediately catastrophic.

When you consider that some of this information belongs to people with *.mil email addresses, I think you're underestimating the shit storm that is about to be (well, SHOULD be) unleashed on AT&T and Apple.

On the bright side for Apple users, perhaps Apple can use this to break their exclusivity deal with AT&T? Perhaps Apple will learn the value of 'due diligence' before signing contracts in the future.

Your telco just loves to help anyone that takes the time to request your data in bulk.
You had the MS Sidekick data loss, Amazon 1984 data removal, Room 641A, Google's data collection, now the iPad email gape.
Time to buy a Dell Streak, install Ubuntu and float on the Canonical cloud.
You will be safe from all but SCO as you hunt for a telco that takes customer security very seriously.

'We are continuing to investigate and will inform all customers whose email addresses and ICC IDs may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"

A classic textbook non-response from a corporation's P.R. machine. A guide, for those unfamiliar with the terminology:

Look in your spam box. Your email address has been leaked to V1agra merchants and worse, a million times over, whether you're an iPad user or not. Let's not act like these were some sort of unsoiled email addresses that have now been deflowered. There are no such things on the internet. Yeah, I don't want these jerks knowing what kind of gear I own, but in the big picture, I'd say that these people need a good spam blocker this week, and they needed it last week too.

I sometimes wonder why Apple hasn't moved away from its exclusive relationship with AT&T. I do wonder how Apple would spin it if it were opened to other carriers and they all experienced the dropped-call issue?

Basically, Apple signed a five-year deal in 2007 because they badly needed a carrier who was willing to sink many millions into the release.

Here's the thing that sucks for early adopters: If you bought in '07, you had to sign a two-year deal with AT&T. Par for the course for a phone the way we've got it structured in the US. But after your two years are up, you'd still be stuck with AT&T for another three years due to the 5-year deal they have with Apple. Either that, or jailbreak your phone, etc.

Practically, though, the extra three years are no big deal for the early adopters... surely most of them would move onto a new phone after two years, since they are early adopters.

As much as I want my iPhone carrier-unlocked, what other US carrier with GSM/HSDPA and a nationwide footprint do I have access to?

Point being, what am I supposed to do with my newly unlocked iPhone - go to T-Mobile? Not really, at least not in this country. The use I can see for an unlocked US iPhone is simply that were I to travel overseas I could use a local SIM over there and use it with a native carrier instead of getting violated with international roaming fees.

Yes you could go to T-Mobile in the US, you just would not have 3G.. and if you think that is "useless".. well not quite.. for example, I am on T-Mobile, and I went to Europe recently.. of course no 3G due to the freq differences.. but I still had Edge, and you know it wasn't that bad.. I could still use Google maps and navigation with Edge for some directions, and access some web pages.. Phone wise (it is a phone) it worked flawlessly.. Would I only want to "live on the Edge".. probably not.. BTW.. althou

I admit, I don't own an iPad so I might be slightly mistaken as to how this works, but from the summary it mentions that Apple is the one that 'users, who must provide the company with their email addresses to activate their iPads' which indicates Apple is the one wanting the email, not AT&T. Now if Apple wants the emails, why would it have a 3rd party (AT&T) hold on to this data and not just upload it all to their servers every few hours and clear the AT&T server of this information? Now, if Apple

Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads. [emphasis added]

Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?

From the summary: 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.'

If I give you my car keys, and you give them to someone else, and that person steals it, you can't claim it's not your fault. Y

Since the iPad/AT&T users actually gave their email addresses directly to AT&T through the sign-up web form, your analogy is a bit off. A better one is of a restaurant that contracts with a specific valet parking company. You give your keys to the valet company and they ding your car. The restaurant is certainly in some way involved (having chosen the valet company), but at no time were they directly responsible.

Think back to FISA, the Church report and the "The Puzzle Factory" and "The Crystal Palace" books.
If you need to worry about the NSA, you have a good sneaker net in place or know you are totally compromised.
ATT, Google, the NSA, fusion centers etc. are a fact of life. But AT&T should have known better. They have a monopoly, the funds, skill set and understand US law. They seemed to have protected Room 641A rather well, how about protecting consumer data too:)
Real networks need real admins, not just Idiots Ou